Replace nextcloud for simple miniflux

2023-05-18 20:46:55 +02:00 · 2023-05-18 20:46:55 +02:00 · 7fba05e4e0
parent 25fd97d270
commit 7fba05e4e0
3 changed files with 93 additions and 3 deletions
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -15,7 +15,7 @@

    ./headscale.nix
    ./gitea.nix
-    ./nextcloud.nix
+    ./miniflux.nix
  ];

  common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
--- a/nki-personal-do/miniflux.nix
+++ b/nki-personal-do/miniflux.nix
@ -0,0 +1,86 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+  user = "miniflux";
+  host = "rss.dtth.ch";
+  port = 10020;
+
+  secrets = config.sops.secrets;
+
+  configEnv = builtins.mapAttrs (name: value: toString value) {
+    DEBUG = "on";
+    DATABASE_URL = "user=${user} dbname=${user} sslmode=disable host=/run/postgresql";
+    RUN_MIGRATIONS = 1;
+    LISTEN_ADDR = "127.0.0.1:${toString port}";
+    BASE_URL = "https://${host}";
+    HTTPS = true;
+
+    OAUTH2_PROVIDER = "oidc";
+    OAUTH2_CLIENT_ID = "oYF8Y815kQNuuYYdACJmm3kD1hzniMe6fJIDRUfs";
+    OAUTH2_REDIRECT_URL = "https://${host}/oauth2/oidc/callback";
+    OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.dtth.ch/application/o/rss/";
+    OAUTH2_USER_CREATION = 1;
+
+    LOG_DATE_TIME = true;
+
+    FETCH_YOUTUBE_WATCH_TIME = true;
+  };
+
+  package = pkgs.miniflux;
+in
+{
+  sops.secrets."miniflux/oidc-client-secret" = { };
+  sops.secrets."miniflux/pocket-consumer-key" = { };
+  sops.secrets."miniflux/admin-creds" = { };
+
+  cloud.postgresql.databases = [ user ];
+
+  cloud.traefik.hosts.miniflux = {
+    inherit port host;
+  };
+
+  systemd.services.miniflux = {
+    description = "Miniflux service";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "postgresql.service" ];
+
+    serviceConfig = {
+      ExecStart = "${package}/bin/miniflux";
+      User = user;
+      DynamicUser = true;
+      RuntimeDirectory = "miniflux";
+      RuntimeDirectoryMode = "0700";
+      EnvironmentFile = [
+        secrets."miniflux/admin-creds".path
+        secrets."miniflux/oidc-client-secret".path
+        secrets."miniflux/pocket-consumer-key".path
+      ];
+      # Hardening
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [ "@system-service" "~@privileged" ];
+      UMask = "0077";
+    };
+
+    environment = configEnv;
+  };
+}
+
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@ -26,6 +26,10 @@ gitea:
    signing-key: ENC[AES256_GCM,data:64tLU6rVcCq6CSfVGtFfSc8m89gHFHwGQ4JSHw8p7GqlB7ioHrJVu8o+6u6UPERMfkcHsTG2gTwh7wpblF//bk1+TRyYWSuDnIGl1G7+6FVmJbvLyGJBck0NauW4s5Keiqr2qg38i3y9qy7kPaJGz/2J6cYYSQxB9xy8mtdoxwypGf+zxu1teiUnKmWa89i941s2FZZ+FoQvQCZs/7En3YnxNiDM+lXR4wqbPZPROlYHaVDOgeACBgq8GwNdgAFF7qRLdjxMGgjS3jjlD4QCJlEO6UbqVEBEK7pf4Or4kx/RM2A0rgGNUPpwKu/b5xGTUkA0X7TcZNIcLJ2zred0JIEj0bM7MNrkBIQovHEYLT3m33W1zKTTBC2lgPh90I/tPauIOb1hWHzgjM+LpV8bPkGXIk3BmoxW8eCiFmSjfvxdyS6WVJ6lGOIhaFNl59LyKsljyUmYcauig7/T+ylGyWiPViXuYB4fWxWr1t7Tb6DgY2fJdl5KQHLkDoAylHQ6pOb0l2YUGw1+vvHocMA9KTJeTnhTWAPZLOIFbfZL8sxrWRlpuZvvKdXlOjzKwVgCzWudYJ4jUoPSCmvxpnuCpiPbqaoZyA3Vyx7UCTN7UhKRb99jxEqdTrDPwRL0VlVZUQgLDTMPXHjdoOan06wXmDJEDRDBFsrrpna9wY1uvyPGBBpZ+uQZdxPZfXKQ8HRVHS1dKfyvdIaG/eYUrimF9euhYKYGPH02S6UcU+yQXw5B12HBxLDwS0oF3yWXfTMBsgejWFAuyQkQVJJjAi/Zs+9HJ3FQqr4vl/hUclv/X2XURuPc/jjYziNuOAn6yGhXuNC713SzUOnZlDgEcCkm8DHn5hQ/W4rZGUbSq+y/HUk8GA6XSw8u8H7KDQFnV4l4Chg1cKAf0YSXeinJ2x/RA9GXBvC5FVOM/Cx95arxS57vD578Rkdf/c7UQmuH+6X9YTX8MHVgkpHAGJ+bu2UnQ/hjAvGW6kee4jqefybCTxJm7qcSz1JrG6rS+S+9ZFj8BrXLcSIRlvxotg+FmBjdlqJMj5i0w+cR2f2zXPsmeDC0gmSTV7mYNz9+uMv708xwm26e4/rTT0hS+szLzzz/Ygm9yAkLf9lIS3457IWEjF+LCs9SEq3jfkx5zqpWfOpBCQU9rYKJhvjCVK6a1Hb2PfO4klkuwSNFPwyMHDlEqNmIVUf6uM5p8RVEQy07GsE4ycNtgicC32JGpkotcaU1ByQVbqRXlqJqMJnUEbnWH6qf3Em+wi8eBHmPf1BNjdP3f9BOle+H17/SdKssRbA8o4qQAGVkFzfjybMIh0onB1e15Rt5TUrRDxQAZG+uIsrHEiEOCDED846wO9apeV7wuOKXv2USDhybQhIctcuwxFGQEZWtGGrKzWTlK82Qb8FUM44x2HFj1SK7mIQbU20TcL2bd3b1OZ2kQe16CaT9R0BkpRlPLfiA1ZD7+3DdCyOJxTjutCQgaI1ONQuWn47rDOMbyqZhxs+Gj6bormGEWVRXQpV4VTknN/GyFB2aWQmZF8hGpEBl/t8IfOXDs56kN2Z8W2eKzHZz9u11HQ0eJ05LX2xz5DB+22UZT4bGK6Y3vJtB0+27r7G7hh79Fkapggm61xh3+D593epyW6Ix4hN29KrJWz/s93gi/g==,iv:LlUhINacJf7haxl7i0QI9ALdOFLdLJGbsXgszKVJOVg=,tag:ALkAcUmPFHp8wpI7DVYbiw==,type:str]
 nextcloud:
    admin-password: ENC[AES256_GCM,data:wDL8xCv8/mFQniIRQOR+zl1kArSUXc2KAfCP1jmnidLOYwC4X0d8V60s0hAXCO1gUxNTETjbjBkGlENpvQm8dL94DIshCMyMxFc5gUmrF9qc+omOPT5HF82FgaHnN9N6sH3r19SfoXkMtBROj1V6xlU/lVqx+CiJCSCBfbllYkY=,iv:DGFlXNRXey0dIQVzsg0qkPGxDG+36tcg0BXUQzHfANk=,tag:HdpNO+ikmXo7wtahYwtkDg==,type:str]
+miniflux:
+    oidc-client-secret: ENC[AES256_GCM,data:lvPFzc1ZXOTArs6VfFzJmKjW7pFpWU1XMCzHfUWC8WRq3CTvd6iQSwnGgBmUtHtDJCF1un/32fOaqBtSeMkgt5nkd/j8fLhTrTZyo8hJV2l1p16RBC2C0+igQh8PMah1Yp+V4zTMd5UKYMPkK9Iwb/tJ5zXeqQ20LvmGk+E7lCCVrnyyJrJNwr310mzYaUmpRz9/1AEM,iv:+9yhwYxnB5zPSRjX9o3PRvBpq4hM45jNF3acqT6lSJc=,tag:yMTWbxHlTZgg4XxNjfc8wQ==,type:str]
+    pocket-consumer-key: ENC[AES256_GCM,data:NXY9Y8rFlzCVVG3ATUL/u7Sj6Im1RU/D16toUOLcIfKvddBjlu+QddKXWfLKppV1BQZ0,iv:nf3gkm098UhpZOgMbOdyG1FYVcl5G0gxoI6RTsZ1r14=,tag:bMOYwtFwUJ4SFornsWo8ig==,type:str]
+    admin-creds: ENC[AES256_GCM,data:cBCwwRZR0B8nH7XLxHVZCThqmnUI6ZHFp3wH9TjdRbBTmySjPqU526ltn3lRQtopgqQ0IOuneTztXJ+wfqmLUABV6xlLBkXD7VX6Mf43RtIDyHL+UC56eIdn3xeawGsIjnta,iv:DOwHUL64ufLS7FbvnJCPxPYwMJF1pMPqjx78vltm9IY=,tag:A2Fpk4rI0/WK0jFtTlGhaA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -59,8 +63,8 @@ sops:
            by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
            hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-11T20:46:04Z"
-    mac: ENC[AES256_GCM,data:csUDc036tnmVNQcdmjc4bfDn+BqtpYSmmspF10EW+jUVINO3rLwnx01jrUMoqVZQnxZ3d62ra+afhKAKUtInYxsJLb1uC+EUdKMzz5AFZTMJ4QDoPO7X2JAGqoS15B5k/Tr+PGTSVNINWjWMNQTHS3NDvIKGDyjxxv19sefJ9WY=,iv:L+r1jlmN5yuSu0pQBvF4tvX92Qnmbsn1GGjQnB9CnjE=,tag:gaxNp/RzTOkR/guFjm8lHA==,type:str]
+    lastmodified: "2023-05-18T18:34:18Z"
+    mac: ENC[AES256_GCM,data:9+5M/rTOhL/DXtSYLRjjvF8smhvWQgVE/XLSjwBxv/fCR89ArFNPsf6TC1PCP9eUZb0eThoxr1zkDSBOJD57wRpIbhmDe3/UyNpPTQLnu7Hnj/nvRJYpX49TYhfdT4CH3IzP+m0sopnCvo8DYgNIOKpz7Lhi4x/eCNP8gDzfv4k=,iv:lbXxenPw8EghEvDh8OwMlVfN3gFEa+wT2/Fai/xrzuo=,tag:b+HzElhvF1Rr3BAyLiPQsQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3